| Version | Supported |
|---|---|
| main | ✅ |

If you discover a security vulnerability in this project, please report it responsibly:
- Do NOT open a public issue for security vulnerabilities
- Contact Rudiger (site keeper) or use GitHub's private vulnerability reporting
- Include as much detail as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will acknowledge receipt within 48 hours and provide a more detailed response within 7 days.
This project implements the following security measures:
- Workflows use minimal required permissions
- Fork PRs require maintainer approval before running workflows
- Secrets are never exposed in logs
- Dependencies are automatically scanned via Dependabot
- GitHub OIDC authentication (no long-lived AWS credentials)
- IAM roles follow least-privilege principle
- S3 bucket is private; content served only through CloudFront
- CloudFront distribution uses HTTPS only (TLS 1.2+)
- Content Security Policy (CSP) headers via CloudFront
- Security headers: HSTS, X-Frame-Options, X-Content-Type-Options
- Static site only (no API endpoints, no user input handling)
- No secrets or credentials committed to repository
- Dependencies regularly audited for vulnerabilities
- TypeScript for type safety
- Pre-commit hooks prevent committing sensitive files
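As an added illustration (not the project's own workflow file), a deployment job wired the way the CI/CD bullets above describe: the default token is read-only, `id-token: write` is granted only so the job can request a GitHub OIDC token, and an AWS role is assumed through that token instead of long-lived access keys. The role ARN, region, bucket and distribution id are placeholders.

```yaml
name: deploy-site

on:
  push:
    branches: [main]   # only the supported branch deploys

# Least privilege: the GITHUB_TOKEN can only read the checkout;
# id-token: write is what lets the job mint an OIDC token for AWS.
permissions:
  contents: read
  id-token: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Workflow-level permissions already apply; restating them here keeps
    # the grant visible next to the steps that need it.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      # Exchange the OIDC token for short-lived AWS credentials.
      # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets are needed.
      # The role's trust policy should pin the token's "sub" claim to
      # repo:<owner>/<repo>:ref:refs/heads/main so that forks and other
      # branches cannot assume it.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER_DEPLOY_ROLE  # placeholder
          aws-region: us-east-1  # placeholder

      # Role permissions should be limited to PutObject/DeleteObject/ListBucket
      # on this one bucket plus CreateInvalidation on this one distribution.
      - name: Upload site
        run: aws s3 sync ./dist s3://PLACEHOLDER_BUCKET --delete

      - name: Invalidate CloudFront cache
        run: >
          aws cloudfront create-invalidation
          --distribution-id PLACEHOLDER_DISTRIBUTION_ID
          --paths "/*"
```

The `sub`-claim condition in the IAM trust policy is the check that makes the OIDC setup safe; without it, any workflow that can present a token from the same issuer could assume the role.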